Skip to main content

What is this infection? It was identified in scan as: 1 infection has been identified
W32.Deceptor.Surfshark                            C:\ProgramData\Caphyon\Advanced Installer\{7DE31F91-EAE8-4282-A766-8808055D9CF6}\SurfsharkSetup.exe - 5EFCDC05BC1DCB425D4FCAFA08326744

I believe when error came up on scan that SurfsharkSetup.exe and cmf2bo0t.exe were also identified as being involved. Anybody know what this infection is, how it got on my computer, what damage it could do and how to prevent it from coming back?  Thanks. 

Hello @us00051 

 

Yes it’s marked bad in the Webroot Cloud Database. http://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx

 

 

If you feel it’s in error contact Webroot Support and put the line you posted in the ticket! Webroot Customer Service

 

@DanP

 

Thanks,


@us00051 

 

Can you provide more context to when you received this? Do you use SurfShark VPN software? I believe this might be a false positive as that hash has very low detections on VT, the file is also digitally signed with a valid cert. I’d put in a ticket to have that changed. 

 


Regards
John​​​​​​​


I got this message using WebrootSecureAnywhere ran : Tue 2022-04-12 13:47:16                           System Analysis completed in 35 seconds (v9.0.31.84)

This comes straight from the log I downloaded after getting the infection warning message. 

I do subscribe to the Surfshark VPN software. I have been probably using it for about 2 years and never got any warning messages like this before. 

Thanks for your help and any additional help you can provide or tips for additional trouble shooting.

 


@us00051 

This sounds like a false positive for sure. I’d say the Webroot agent is picking up some module in SurfShark as a PUA/PUP and flagging it. 

I’d place a ticket with support to have it looked at and changed.

If you receive no further warnings or alerts AND your SurfShark works, you could just leave it and see. I’m pretty confident you aren’t infected. 

Regards
John


@us00051 I got the file whitelisted in the Webroot Cloud Database!

 

“Hello,

We have whitelisted this file and it should be good after another scan.

Regards,

Webroot Support”

 

 


Nice work @TripleHelix 

 

Feel free to ping me on these FPs as I have access to that DB and can make these changes as well. 


With this last message from Tyler I take it that what was first potentially identified as an infection is a false positive and that I should no longer be concerned. Please let me know if you think otherwise. And finally I would like to thank all of you who have participated in this thread to alleviate my concerns. Your efforts on my behalf are much appreciated. 


Nice work @TripleHelix 

 

Feel free to ping me on these FPs as I have access to that DB and can make these changes as well. 

Sure thing but I was hoping the OP would contact Webroot support. It only took 13 minutes to get a reply! 😎

 

Webroot Support (Apr 14, 2022 15:03)

RE:Possable False Positive

Hello,

We have whitelisted this file and it should be good after another scan.

Regards,

Webroot Support

Your Message (Apr 14, 2022 14:50)


Nice work @TripleHelix 

 

Feel free to ping me on these FPs as I have access to that DB and can make these changes as well. 

Sure thing but I was hoping the OP would contact Webroot support. It only took 13 minutes to get a reply! 😎

 

Webroot Support (Apr 14, 2022 15:03)

RE:Possable False Positive

Hello,

We have whitelisted this file and it should be good after another scan.

Regards,

Webroot Support

Your Message (Apr 14, 2022 14:50)

This is a good call @TripleHelix  Our Support is very responsive! And we have to log things like FPs internally and track them.

 

Please open the tickets and I can help expedite if needed!


Good catch and thanks for whitelisting it. Seem to be a few more false positives lately? Or am I just noticing them more?


Reply